

Freedom of Information and Privacy Acts

FOIPA# 1056287 and FOIPA# 1056307-1
Subjects: DCS-3000 and RED HOOK
File Number: DIVISION CDs
Section: 6



Federal Bureau of Investigation 


Interim Solutions for Telecommunications Intercepts

Goals and Objectives

b6
b7C
Electronics Engineer

Purpose 


The ISTIC is an introductory course on 
CALEA intercept techniques and 
procedures. Upon completion of this 
course students should have a basic 
understanding of the CALEA Paradigm 
and specific training on the 
implementation of CALEA pen register 
collections utilizing the DCS 3000 suite 
of applications. 







Background 


The Switch Based Intercept Team is 
responsible for the development, 
deployment and maintenance of telephone 
switch-based ELSUR capabilities 


DCS 3000 is the current interim solution 
used by the FBI 


The FBI is investigating and deploying other
options from outside vendors

Goals and Objectives


Educate TTAs on: 

• Technologies utilized, FBI equipment needed, 
connection information for service providers, 
DCS 3000 application hardware, operating 
system, and infrastructure needed for 
implementation and maintenance 

• Current issues affecting ELSUR operations 


Enable “graduates” to implement and
maintain switch based intercepts in their
field divisions with specific training on the
DCS 3000 system

Interim Solutions For Telecommunications Intercepts Course


Engineering Research Facility 
Quantico, Virginia 

August 10 - 19, 2004 


PURPOSE: This course is designed to reduce the demands placed on TICTU by 
establishing a cadre of interim solutions subject matter experts 


BACKGROUND: 

• TICTU responsibilities include the development, deployment and support of advanced
interception applications to FBI field offices throughout the country.

• TICTU has provided similar support, on request, to other federal, state and local agencies 

• DCS-3000 is the current interim solution used by the FBI as the FBI continues to investigate 
other options. 


DILEMMA: 

♦ There has been an increase in requests for assistance from agencies outside the FBI due to 
the increasing popularity of PCS service in the United States. 

♦ The volume of support requests threatens to interfere with the primary functions of TICTU:

- Providing support to bureau field offices, and 

- Conducting R&D to keep pace with evolving technologies 


COURSE GOALS AND OBJECTIVES: 

♦ This course was designed to help reduce the number of requests for assistance, thereby
allowing TICTU to concentrate on its primary responsibilities

♦ This course will provide information on: 

- Personal Communications Services 

- Technologies utilized by service providers 

- All aspects of the DCS-3000 application, including the hardware, operating system and 
infrastructure necessary to deploy and maintain it 

- Current issues affecting ELSUR operations 

♦ "Graduates" will be able to fully support their own DCS-3000 installations 

♦ Attendees may be called upon to train counterparts in neighboring and/or related agencies 
in subsequent DCS-3000 deployments. Demands will be reasonable 

♦ Only through this educational approach can TICTU continue to provide the level of 
technical assistance requested by agencies outside the FBI 

ALL INFORMATION CONTAINED HEREIN IS UNCLASSIFIED
DATE 05-24-2007 BY 65179 DHH/TAH/KSR/cb





Interim Solutions for Telecommunications Intercepts

ELSUR / Service Provider Cooperation

b6
Senior Consultant

Switch Based Intercept Team Web Site on LEO

Resources

• DCS-3000
  • Manual
  • Release Notes
• Reference Materials
  • Carrier-Specific ELSUR Material
  • LER Guides/POC Information
  • CALEA Worksheets/Fax Coversheets
  • CALEA Data
  • FCC License Information
• Course Materials
  • ISTIC
  • Regional Training Seminars



Interim Solutions for Telecommunications Intercepts

Packet Assembler / Disassembler

Electronics Technician

Intercepts Process

Overview

• Request / Install DCS-3000 Software
• Define Carrier & Law Enforcement Site Requirements
• Create IP Address Scheme & Port/Socket Numbering Plan
• Gather Carrier Information
• Identify / Procure Hardware and Software
• Install Monitoring Facility Hardware and Software
• Create Interconnection Plan / Review with Carrier
• Identify / Order Interconnect Circuits
• Install Carrier Facility Hardware
• Test

Request / Install DCS-3000 Software

• Request current copy of DCS-3000 software from ERF
• Follow authentication procedures to install software



Discussion

• Request / Install DCS-3000 Software
• Define Carrier & Law Enforcement Site Requirements
• Create IP Address Scheme & Port/Socket Numbering Plan
• Gather Carrier Information
• Identify / Procure Hardware and Software
• Install Monitoring Facility Hardware and Software
• Create Interconnection Plan / Review with Carrier
• Identify / Order Interconnect Circuits
• Install Carrier Facility Hardware

QUESTIONS?

DCS3000 Ver 4.2e CDNRS Record Format

Field   Field
Number  Size   Position    Field Contents        Field Description
1       5      1-5         DCSPC                 Record header
2       1      7           C or R                Cleansed or raw
3       10     8-17        Digits                Target number
4       8      19-26       mm/dd/yy              Call date
5       8      28-35       hh:mm:ss              Start time
6       8      37-44       hh:mm:ss              End time
7       8      46-53       hh:mm:ss              Duration
8       8      55-62       hh:mm:ss              Ring time
9       3      64-66       Blanks
10      20     68-87       Blanks
11      1      89          0 (outgoing)          Call type
                           1 (incoming)
                           N (incoming unans)
                           U (outgoing unans)
12      1      91          Blank
13      1      93          Blank
14      40     95-135                            Associate number
15      3      137-139     Blank
16      3      141-143     Blank
17      4      145-148     Blank
18      15     150-164     Blank
19      25     166-190                           Case ID (target number)
20      1      192         Y or N                Voice present
21      1      194         Blank
22      8      196-203     Blank
23      1      205         Blank
24      20     207-226                           Forward from call
25      20     228-247                           Forward to call
26      20     249-268                           Name of server
27      40     270-309                           Warrant ID (target IMSI)
28      20     311-330                           Cell ID
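
The record layout above is a fixed-width format, so a reader is a set of column slices plus checks on the fields whose contents the table constrains. The following is an added example, not FBI or DCS-3000 code: the field names, the sample values and the choice to slice field 14 by its Position column (95-135) rather than its stated size of 40 are assumptions of this sketch.

```python
"""Added example: strict reader for one fixed-width CDNRS record.

Column positions are copied from the record-format table above. Field
names, sample values and validation choices are assumptions of this sketch.
"""
import re
from datetime import datetime

# (name, first column, last column), 1-based inclusive. Blank filler fields
# are left out. Field 14 is sliced as 95-135, as the Position column states,
# although its Field Size is given as 40.
LAYOUT = [
    ("header", 1, 5),
    ("cleansed_or_raw", 7, 7),
    ("target_number", 8, 17),
    ("call_date", 19, 26),
    ("start_time", 28, 35),
    ("end_time", 37, 44),
    ("duration", 46, 53),
    ("ring_time", 55, 62),
    ("call_type", 89, 89),
    ("associate_number", 95, 135),
    ("case_id", 166, 190),
    ("voice_present", 192, 192),
    ("forward_from", 207, 226),
    ("forward_to", 228, 247),
    ("server_name", 249, 268),
    ("warrant_id", 270, 309),
    ("cell_id", 311, 330),
]
RECORD_LEN = 330
CALL_TYPES = {
    "0": "outgoing",
    "1": "incoming",
    "N": "incoming unanswered",
    "U": "outgoing unanswered",
}
TIME_FIELDS = ("start_time", "end_time", "duration", "ring_time")
HMS = re.compile(r"(\d{2}):([0-5]\d):([0-5]\d)")


def build_record(values):
    """Lay constructed field values out at the table's column positions."""
    buf = [" "] * RECORD_LEN
    for name, first, last in LAYOUT:
        text = values.get(name, "")
        if len(text) > last - first + 1:
            raise ValueError(f"{name} is wider than columns {first}-{last}")
        buf[first - 1:first - 1 + len(text)] = text
    return "".join(buf)


def parse_record(line):
    """Return (fields, problems); problems are reported, never silently fixed."""
    line = line.rstrip("\r\n")
    problems = []
    if len(line) > RECORD_LEN:
        problems.append(f"record has {len(line)} columns, layout ends at {RECORD_LEN}")
    line = line.ljust(RECORD_LEN)  # trailing blank columns may have been trimmed
    fields = {name: line[first - 1:last].strip() for name, first, last in LAYOUT}

    if fields["header"] != "DCSPC":
        problems.append(f"bad record header {fields['header']!r}")
    if fields["cleansed_or_raw"] not in ("C", "R"):
        problems.append("cleansed/raw flag is not C or R")
    if not re.fullmatch(r"[0-9]{1,10}", fields["target_number"]):
        problems.append("target number is not 1-10 digits")
    try:
        fields["call_date"] = datetime.strptime(fields["call_date"], "%m/%d/%y").date()
    except ValueError:
        problems.append("call date is not mm/dd/yy")
    for name in TIME_FIELDS:
        match = HMS.fullmatch(fields[name])
        if match:
            hours, minutes, seconds = map(int, match.groups())
            fields[name + "_seconds"] = hours * 3600 + minutes * 60 + seconds
        else:
            problems.append(f"{name} is not hh:mm:ss")
    fields["call_type_label"] = CALL_TYPES.get(fields["call_type"])
    if fields["call_type_label"] is None:
        problems.append(f"unknown call type {fields['call_type']!r}")
    if fields["voice_present"] not in ("Y", "N"):
        problems.append("voice-present flag is not Y or N")
    return fields, problems


# Constructed sample record; every value below is made up for illustration.
SAMPLE = build_record({
    "header": "DCSPC", "cleansed_or_raw": "C", "target_number": "5555550100",
    "call_date": "08/11/04", "start_time": "09:15:02", "end_time": "09:17:40",
    "duration": "00:02:38", "ring_time": "00:00:06", "call_type": "1",
    "associate_number": "5555550199", "case_id": "CASE-EXAMPLE-001",
    "voice_present": "Y", "server_name": "SERVER-EXAMPLE",
    "cell_id": "CELL-EXAMPLE",
})

if __name__ == "__main__":
    parsed, issues = parse_record(SAMPLE)
    print(parsed["target_number"], parsed["call_type_label"], issues)
```

Returning a problem list instead of raising lets a log review pass over a whole file and report every malformed record with its line number.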
Intercepts Process


Request / Install DCS-3000 Software

• Request current copy of DCS-3000 software
• Follow authentication procedures to install software

Gather Carrier Information

• Establish primary points of contact for legal and technical issues
• Define carrier’s areas of service
• Identify switching platform (vendor, model, software version)
• Identify interconnection requirements (i.e., firewall, dial-up restrictions, centralized, etc.)
• Policies and procedures
  • Roaming partner identification
  • Fee schedule
  • Future switch/software upgrade plans
  • Fail-safe measures (e.g., what data can carrier provide if interconnection disrupted?)
  • Reporting/resolving after-hour technical difficulties
  • Court orders: Acceptance by fax?
  • Court orders: Preferred wording?

Create Interconnection Plan / Review with Carrier

• Define carrier configuration (centralized, decentralized, etc.)
• Identify specific interconnection locations (“Points of Presence”) per switch/market

Define Carrier and Law Enforcement Site Requirements

• Equipment location (router, modem, etc.)
• Uninterruptible power source
• Location of terminating telco circuit (leased line or POTS)
• Responsibility for cable runs
• Access and security

Identify/Procure Hardware and Software

• Server/Client PC(s)
• Operating system software (Windows NT)
• Routers
• Modems
• Interconnection cables
• Title III interface card(s), if necessary

Identify/Order Interconnect Circuits

• CDC Circuits: Ringdown, POTS line at provider and CMP, ISDN
• CCC Circuits: Dial-up, leased line, may be 4 wire in middle

Create IP Address Scheme and Port/Socket Numbering Plan

• Obtain IP address from service provider
• Determine IP addresses for Ethernet and serial ports on router

Install Monitoring Facility Hardware and Software

• Monitoring equipment and software are installed in coordination with service provider

Install Carrier Facility Hardware

• Coordinate with carrier in advance (during or after regular business hours)
• Advise carrier of LE personnel who will attend
• Have personnel available at monitoring facility for troubleshooting/testing

Test

• Connectivity
• Handset-based functional test for proper messaging


AGENDA

Interim Solutions For Telecommunications Intercepts Course

Engineering Research Facility
Quantico, Virginia

August 5 - 16, 2002

DAY ONE    Monday, August 5, 2002

Time        Topic                                            Instructor
9:00 am     Welcome / Review of Course Goals & Objectives    b6, b7C
9:30 am     Introduction to GSM Infrastructure
10:30 am    BREAK
10:45 am    Introduction to ISDN
11:45 am    Agency / Service Provider Cooperation
12:15 pm    LUNCH
1:30 pm     Packet Assembler / Disassembler (PAD)
2:30 pm     BREAK
2:45 pm     Courier "V.Everything" Modem Configuration
4:00 pm     Questions & Answers

DAY TWO    Tuesday, August 6, 2002

Time        Topic                                                  Instructor
9:00 am     Review / Goals and Objectives for Day                  b6, b7C
9:15 am     Fundamentals of Cisco Router Configuration
10:45 am    BREAK
11:00 am    Fundamentals of Cisco Router Configuration (cont'd)
12:30 pm    LUNCH
1:30 pm     Fundamentals of Cisco Router Configuration (cont'd)
3:15 pm     BREAK
3:30 pm     Fundamentals of Cisco Router Configuration (cont'd)
4:45 pm     Questions & Answers






DAY THREE    Wednesday, August 7, 2002

Time        Topic                                                  Instructor
9:00 am     Review / Goals and Objectives for Day                  b6, b7C
9:15 am     Fundamentals of Cisco Router Configuration (cont'd)
10:45 am    BREAK
11:00 am    Fundamentals of Cisco Router Configuration (cont'd)
12:30 pm    LUNCH
1:30 pm     Fundamentals of Cisco Router Configuration (cont'd)
3:15 pm     BREAK
3:30 pm     Fundamentals of Cisco Router Configuration (cont'd)
4:45 pm     Questions & Answers

DAY FOUR    Thursday, August 8, 2002

Time        Topic                                     Instructor
9:00 am     Review / Goals and Objectives for Day     b6, b7C
9:15 am     Windows 2000 Operating System
11:15 am    BREAK
11:30 am    DCS-3000 Implementation Process
12:30 pm    LUNCH
1:30 pm     Advanced Carrier Solutions
3:30 pm     Questions & Answers

DAY FIVE    Friday, August 9, 2002

Time        Topic                                               Instructor
9:00 am     Review / Goals and Objectives for Day               b6, b7C
9:15 am     DCS-3000 Application Overview
11:15 am    BREAK
11:30 am    DCS-3000 Application Overview (continued)
12:30 pm    LUNCH
1:30 pm     Router Scripts and Programming Routers
3:30 pm     BREAK
3:45 pm     2610 Router Lab
4:45 pm     Questions & Answers / Week 1 Evaluation & Review




DAY SIX    Monday, August 12, 2002

Time        Topic                                         Instructor
9:00 am     Review / Goals and Objectives for Day         b6, b7C
9:15 am     DCS-3000 Hands-On / Practical Application
12:00 pm    LUNCH
1:00 pm     DCS-3000 Hands-On / Practical Applications
4:30 pm     Questions & Answers

DAY SEVEN    Tuesday, August 13, 2002

Time        Topic                                         Instructor
9:00 am     Review / Goals and Objectives for Day         b6, b7C
9:15 am     Router Debugging
10:15 am    BREAK
10:30 am    Basic Troubleshooting
12:30 pm    LUNCH
1:30 pm     DCS-3000 Hands-On / Practical Application
4:30 pm     Questions & Answers

DAY EIGHT    Wednesday, August 14, 2002

Time        Topic                                                      Instructor
9:00 am     Review / Goals and Objectives for Day                      b6, b7C
9:15 am     DCS-3000 Hands-On / Practical Applications (continued)
12:30 pm    LUNCH
1:30 pm     Review of Log Files, CDNRS, Log Summary, etc.
2:45 pm     BREAK
3:00 pm     Spotlight on Nextel
4:00 pm     Questions & Answers

DAY NINE    Thursday, August 15, 2002

Time        Topic
9:00 am     Review / Goals and Objectives for Day
9:15 am     VANguard Hands-On / Practical Applications
12:30 pm    LUNCH
1:30 pm     Review of Log Files, CDNRS, Log Summary, etc.
2:45 pm     BREAK
3:00 pm     Vendor Presentation
4:00 pm     Questions & Answers / Week 2 Evaluation & Review

DAY TEN    Friday, August 16, 2002

Time        Topic
9:00 am     Course Review
10:00 am    Tour ERF
12:30 pm    LUNCHEON






Federal Bureau of Investigation 

Telecommunications Intercept and Collection Technology Unit

Interim Solutions for Telecommunications Intercepts


July 2004 


A. Background 

Within the Federal Bureau of Investigation, the Telecommunications Intercept and Collection Technology 
Unit (TICTU) is the primary technical resource for the court-authorized interception of wireline and wireless 
communications. In late 1996, TICTU spearheaded the development of a unique telecommunications access 
program called “DCS-3000,” a system capable of interfacing with the switching facilities of many wireless carriers 
that deploy new digital technologies and offer their subscribers diverse “Personal Communications Services.” As 
the complex issues associated with the Communications Assistance for Law Enforcement Act (CALEA) are 
addressed, the DCS-3000 has evolved into a viable interim solution. In some cases this software has become a 
critical component of CALEA compliant installations. 

Today, DCS-3000 systems are efficiently serving the majority of FBI field offices throughout the country. 
In addition, TICTU informally supports a growing number of installations for other federal, state and local law 
enforcement agencies. Limited unit resources and growing interest in the system have spurred the creation of a 
formalized training endeavor. This training effort is establishing a network of regional law enforcement specialists 
who are adept at all aspects of the DCS-3000 application, from installation and testing to training and
troubleshooting. Upon course completion, these Subject Matter Experts will be fully capable of maintaining their own
agency installations and, on occasion, may be called upon to assist other area agencies in the implementation and 
maintenance of the application. This efficient “task force” approach will ensure that non-FBI agencies will 
continue to benefit from the research and development efforts of the Telecommunications Intercept and Collection 
Technology Unit. 

B. Course Information 

The Interim Solutions for Telecommunications Intercepts course is hosted at the Engineering Research 
Facility on the grounds of the FBI Academy in Quantico, Virginia. Classroom instruction is supplemented with lab 
work using bureau-provided equipment. The following is a sampling of topics included in the program of study: 

• Installation and Configuration of Windows NT Operating System 

• Leased and Dial-up Circuits 

• Network Fundamentals / IP Addressing 

• Router and Modem Configurations 

• Router Debugging and Basic Troubleshooting Techniques 

• DCS-3000 Software Installation, Testing and Troubleshooting 

• DCS-3000 Operation and Maintenance 

• Hands on Practical Exercises 


C. Cost Information


The Federal Bureau of Investigation funds the two-week course of instruction, furnishes comprehensive 
course materials (including a course binder and CD-ROM), and provides lunchtime meals. Accommodations at the 
FBI Academy or local motel and additional meals are provided for out-of-town attendees. Participant host 
agencies are responsible for transportation expenses. 

D. Participant/Agency Qualifications

The technical and sensitive nature of this training program necessitates that each participant meets several 
prerequisites, as explained below. To maximize training resources, applicants should expect to continue to 
personally conduct electronic surveillance operations for at least 12 months following training. Each applicant will 
be evaluated independently prior to acceptance for the course. 

1. Participation is limited to practitioners whose technical responsibilities specifically include the actual
implementation of court-ordered electronic surveillance activities. This course is not a planning or 
administrative endeavor. 

2. Participant agencies must have a history of conducting such electronic surveillance operations using 
CALEA techniques within the past six months. 

3. This is not an introductory computer course. Participants must be competent in the use of Microsoft 
Windows* (95, 98 or NT) operating systems. 

4. Familiarity with personal computers, peripherals and interconnection cables is essential. Various 
aspects of the course involve configuring computer components and cables. 

5. The employing agency and applicant must commit to the support of their own DCS-3000 system and 
agree to lend reasonable assistance in support of future installations of the DCS-3000 in their 
geographical area. 

E. DCS-3000 Software 

The DCS-3000 software is subject to distribution restrictions as established by the Department of Justice. 
Participants in the Interim Solutions for Telecommunications Intercepts course will NOT receive a copy of the 
software during the class. Instructions for requesting the software will be provided during the course. 

F. Course Dates 

Tuesday, August 10 through Friday, August 20, 2004. 

G. Application Process 

This training program is limited to ten participants per session. Additional qualified applicants will be
considered for subsequent course offerings. Completed participant application forms as well as comments,
questions or suggestions should be directed to:

b6, b7C
Federal Bureau of Investigation
Engineering Research Facility
Building 27958-A
Quantico, VA 22135
Tel: [redacted]   Fax: [redacted]

COURSE TOPICS


Interim Solutions For Telecommunications Intercepts Course 

Engineering Research Facility 
Quantico, Virginia 

August 10 - 20, 2004 


The following topics and activities are planned at this time for discussion during the 
Interim Solutions course (topics are subject to change): 


TECHNOLOGIES: 

♦ GSM 

• ISDN 


SOFTWARE: 

♦ Installing the DCS-3000 software 

♦ DCS-3000 Application Overview 

♦ Windows 2000 Operating System 

♦ Software and Audio Card Installation 

♦ VANGuard System 


HARDWARE: 

• Fundamentals of Cisco Router Configuration (2-day router course) 

• Router Scripts and Programming Routers 

• Router Debugging 

• Basic Troubleshooting

• Courier "V.Everything" Modem Configuration 

• Protocol Assembler Disassembler 


MISCELLANEOUS TOPICS: 

♦ Advanced Carrier Solutions 

♦ DCS-3000 Implementation Process 

♦ Review of Log Files, CDNRS, Log Summary, etc. 

♦ Hands-on / Practical Application 

♦ 2610 Router Lab 

♦ Agency / Service Provider Cooperation 


TOUR OF ERF LAB: 


EVALUATION FORM

Interim Solutions for Telecommunications
Intercepts Course

August 10 - 19, 2004

As a student in the third class of this type offered, your opinion is especially important in shaping this
course. Please provide your comments below on the modules offered during this course and any specific
recommendations for changes.

Please circle your responses to the following questions using a rating scale of 1 - 5:

1 - Strongly Disagree     3 - Agree     5 - Strongly Agree

1. Overall, the course provided a basic understanding of the CALEA paradigm
   and specific training using the DCS 3000 suite of applications.                      1 2 3 4 5

2. The binder materials were supportive in enhancing my understanding
   of the sessions?                                                                     1 2 3 4 5

3. The length of the training was appropriate for the material to be presented.         1 2 3 4 5

4. The ratio of lecture to hands-on was adequate.                                       1 2 3 4 5

5. The subject matter in each session was covered at the level that met my needs.       1 2 3 4 5

6. Overall, this course is a valuable instructional tool.                               1 2 3 4 5


7. Please comment on sessions presented that were most useful to you. Also, please comment on any sessions 
that you feel did not provide value: 


8. Please tell us what we should do differently for the next course (e.g., please comment on topics that 
should have more or less time devoted to them, thoughts on additional topics, areas that needed more 
or less hands-on or lecture, etc.): 


Your comments help us to improve the Interim Solutions for Telecommunications Intercepts Course. 
Thank you very much for taking the time to provide your comments. 





Federal Bureau of Investigation 

Telecommunications Intercept and Collection Technology Unit 


Requesting Agency Information 

POC Name: Title/Rank: 

Office Telephone: Office Fax: 

Agency: 

Shipping Address: 

(No P.O. boxes - Software will be sent via FedEx) 


Justification 


DCS-3000 software is provided by the FBI solely in support of cases in which a valid court authorization for 
electronic surveillance activities is in effect 

Request is for: New Installation Software Upgrade (if upgrade, current version is 

installed on computers) 


Supervisor Approval and Certification 

I certify that the above information is true and correct, that the use of the DCS-3000 software will be limited to 
use by this agency pursuant to court authorization, and agree to properly safeguard the software against 
unauthorized duplication. I understand that reproduction or distribution of this software is expressly prohibited. 

Title/Name of Immediate Supervisor: 

Office Telephone: 

Supervisor Signature: 


OFFICE USE 

TICTU POC: Client Version: 

Date Software Sent: Multiserver Version: 

FedEx Tracking Number: VANGuard: 


DCS-3000 Request Form.doc

Switch Based Intercepts Course




Federal Bureau of Investigation
Electronic Surveillance Technology Section
Telecommunications Intercept and Collection Technology Unit

Electronics Engineer

Purpose




The SBIC is an introductory course on 
CALEA intercept techniques and 
procedures. Upon completion of this 
course students should have a basic 
understanding of the CALEA Paradigm 
and specific training on the 
implementation of CALEA pen register 
collections utilizing the DCS 3000 suite 
of applications. 





Background




The Switch Based Intercept Team is 
responsible for the development, 
deployment and maintenance of telephone 
switch-based ELSUR capabilities 


DCS-3000 is the current interim solution 
used by the FBI 


The FBI is investigating and deploying other
options from outside vendors

Goals and Objectives


Educate TTAs on: 

• Technologies utilized, FBI equipment needed, 
connection information for service providers, 
DCS-3000 application hardware, operating 
system, and infrastructure needed for 
implementation and maintenance 

• Current issues affecting ELSUR operations 


Enable “graduates” to implement and
maintain switch based intercepts in their
field divisions with specific training on the
DCS 3000 system

AGENDA

SWITCH BASED INTERCEPTS COURSE
July 19-20, 2005

Day One    Tuesday, July 19, 2005

TIME        TOPIC                                                              INSTRUCTOR
9:00 am     Welcome / Introduction                                             b2, b6, b7C, b7E
9:15 am     Goals and Objectives
9:30 pm     Agency / Service Provider Cooperation
9:45 am     Computer Proficiency
10:00 am    BREAK
10:15 am    Computer Proficiency (continued)
11:30 am    LUNCH
12:30 pm    [redacted]
1:30 pm     Advanced Carrier Solution
2:30 pm     BREAK
2:45 pm     Courier "V.Everything" Modem Configuration
3:00 pm     Modem Configuration and Hands-on Application
3:15 pm     Packet Assembler / Disassembler
3:30 pm     Introduction to the DCS 3000 Application Suite (w/Enhancements)
5:00 pm     Wrap-up / Questions and Answers

Day Two    Wednesday, July 20, 2005

TIME        TOPIC                                                              INSTRUCTOR
9:00 am     Introduction to ISDN                                               b2, b6, b7C, b7E
10:00 am    CALEA Overview
10:30 am    BREAK
10:45 am    Event Messages and PTT Event Messages
11:15 am    [redacted]
11:45 pm    LUNCH
12:45 pm    Hands-on Practical Application - Configuring
            Server and Client with Pre-programmed Router
2:45 pm     BREAK
3:00 pm     Hands-on Practical Application - Review of Log Files,
            CDNRS, Log Summary
4:00 pm     Advanced DCS Topics
4:45 pm     Course Wrap-Up / Course Evaluation / Q & A
5:00 pm     Tour: DCS-3000 Lab




ELSUR/Service Provider Cooperation

SBIT Web Site
(Subset of TICTU Web Site)

Access through FBI Net
Internet Explorer

Resources

• DCS-3000
  • Manual
  • Release Notes
• Reference Materials
  • Carrier-Specific ELSUR Material
  • LER Guides/POC Information
  • CALEA Worksheets/Fax Coversheets
  • CALEA Data
  • FCC License Information
• Course Materials
  • SBIC
  • Regional Training Seminars

DCS 3000 applications


Collectively, the suite of DCS 3000 applications enables LEAs to intercept calls from 
telecommunications service providers. Each application has a specific purpose. 

The DCS applications work independently of each other and in some cases a separate 
workstation is used for each application. 

Not every DCS application is used during a surveillance operation. 


Client 

The Client is required for surveillance operations unless its capabilities are 
performed by a third-party application, such as a commercial collection platform. 

• Surveillance operations are interrupted or closed from the Client. 

The Client is used to: 

1. enter warrants 

2. collect incoming call related data (in a format suitable for use as evidence) 

3. record call content. 

The Client may collect data within the following guidelines: 

• Supports one Title 3, Cooperative Warrant, or Push-to-Talk (PTT) collection; 
OR supports multiple Pen Register collections 

• Connect to multiple (up to 35) Servers or MultiServers 


Server 

The Server receives data from the switch and routes that data to the Client. 

The Server is the only application that can receive and route data for PTT calls.
This application is utilized for [redacted] Call Data Channel
(CDC) collection. The DCS3000 Server application has protocol and interface
modes specific for the [redacted] communications. This is
TICTU’s primary pen-register interface for collections.

The Server supports the following: 

• Multiple Title 3, Cooperative Warrant, or PTT collections 

• Multiple Pen Register collections 

• Multiple Client connections 

• Connection to one switch 



VDecoder 


The DCS3000 VDecoder application is a Vector Sum Excited Linear Predictor
(VSELP) decode software for use with the [redacted] delivery. The DCS3000
VDecoder was the first application for decoding of [redacted] audio and is an
essential application for TICTU in its current support of field operations.

b2, b7E

MultiServer

The MultiServer provides similar functionality as the Server and has the ability to 
connect to multiple switches 

The MultiServer application is a fundamental connection application providing for
a wide array of data delivery connections. The MultiServer has incorporated into
its filters several generations of proprietary switch vendor data formats including
switch manufacturers such as [redacted].

Along with the filtering and processing capabilities of the MultiServer application 
are several protocol interfaces for accessing the required CDC or pen register 
information. Currently, the MultiServer supports TCP/IP connections in a client 
mode, FTP with login mode, serial connection with password authentication 
mode, timed/request initiated connection mode and GR30 (Frequency Shift 
Keying using caller ID specifications) mode. These modes are all utilized to 
perform ongoing ELSUR collections. 

This application is also envisioned to be modified for future technology 
collections when tactically needed. 

The MultiServer does not support PTT collections. The MultiServer supports the 
following: 

• Multiple Title 3 and Cooperative Warrant collections 

• Multiple Pen Register collections 

• Multiple Client connections 


VANGuard 

The VANGuard buffers data from [redacted]-compliant switches, and routes the
[redacted] formatted message to the Server or MultiServer.

b2, b7E

It enables Field Offices to collect data periodically via a dial-up modem rather 
than a leased circuit, which reduces circuit costs. 

While multiple switches connect to the VANGuard, the VANGuard connects to 
only one switch. 

This application is also used to monitor the status of current connections to the 
carrier’s switches. Users reset a connection if a problem is detected. 


MultiVANGuard

b2, b7E

The MultiVANGuard buffers data from multiple [redacted] switches, and
sometimes is referred to as the Multiple-Switch VANGuard.

Like the VANGuard, the MultiVANGuard enables Field Offices to collect data 
periodically via a dial-up modem rather than a leased circuit, which reduces 
circuit costs. 

The MultiVANGuard is a CDC distribution and primary server mode collections 
software. The MultiVANGuard has a proprietary redistribution technique based 
on case identification parameters. This software is currently the pathway for all
CDC data collections for service providers using the [redacted]
delivery system, the [redacted] delivery system, and several proprietary
delivery systems being used by major wireless telecommunications carriers.

Also, the MultiVANGuard integrates with the DCS 5000 and DCS 6000 systems 
for input of CDC information for collection. These systems currently must 
interface through the DCS3000 MultiVANGuard. There is no vendor system 
available to perform the functions of the DCS3000 MultiVANGuard. 

The VANGuard connects to up to 25 switches in the Connect mode and up to 100 
switches in the Listen mode. 

This application is also used to monitor the status of current connections to the 
carrier’s switches. Users reset a connection if a problem is detected. 
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EVALUATION FORM 



Switch Based Intercept Course 

July 19-20, 2005 



As a student in the third class of this type offered, your opinion is especially important in shaping this 
course. Please provide your comments below on the modules offered during this course and any specific 
recommendations for changes. 


Please circle your responses to the following questions using a rating scale of 1 - 5: 

1 - Strongly Disagree 3 - Agree 5 - Strongly Agree 


1. Overall, did the course provide a basic understanding of the CALEA paradigm 
and specific training using the DCS 3000 suite of applications? 1 2 3 4 5 

2. How supportive were the binder materials in enhancing your understanding 
of the sessions? 1 2 3 4 5 

3. Was the length of the training appropriate for the material to be presented? 1 2 3 4 5 

4. Was the ratio of lecture to hands-on adequate? 1 2 3 4 5 

5. Was the subject matter in each session covered at the level that met your needs? 1 2 3 4 5 

6. Overall, this course is a valuable instructional tool. 1 2 3 4 5 

7. We encourage you to visit our web-site. If you have, do you feel the 
TICTU website provides information relevant to you? N/A 1 2 3 4 5 


8. Please comment on sessions presented that were most useful to you. Also, please comment on any sessions 
that you feel did not provide value: 


9. Please tell us what we should do differently for the next course (e.g., please comment on topics that 
should have more or less time devoted to them, thoughts on additional topics, areas that needed more 
or less hands-on or lecture, etc.): 
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FBI 

Assessment Team Findings 
(Louisiana) 


New Orleans (6/14/04-6/18/04) : 

• Music CD's should not be placed in computers; Memory 
devices should be properly labeled; Unclassified disks 
in classified computers; Zipdrive attached to FBINet 
machine; Window views not properly screened; Visitors' 
logs not maintained 

• Computer in Technician's room not properly configured 
for access control (Log on) (Baton Rouge) ; iDEN 
CompanionPro terminal (NOFO) has no I&A. 

• Verify PointSec requirement for CART systems; Point Sec 
not installed on laptops 

• Portable peer-less USB/Firewire drive system found - a 
wireless security concern; Strong wireless access 
point readings (Alexandria, Lafayette); TACLAN too 
close to the CPU (Lake Charles) 

• Found numerous instances of collection systems (DCS 
3000 and DCS 5000) where no workstations or servers 
were labeled in accordance with security documentation. 
It is possible that the system is not operating within 
the boundaries described in the CONOPS/SSP for each 
system 

• IT positions not fully staffed. Presently short four 
positions, will be increased to five in the near 
future. Some RAs are increasing agent staff, but have 
not allocated additional space. Short staffing of 
critical technical positions increases the probability 
that security software and proper configuration of 
resources will be delayed or applied inconsistently. 
Overcrowding of personnel increases the probability 
that appropriate security procedures, such as securing 
sensitive information within FBI spaces, will not be 
observed consistently 

• Need policy and procedures to track equipment brought 
in by JTTF members (non-FBI personnel) 

• Verify C&A Status/classification of the NetSender 
Metrocall, FedEx, CATS, VCMO, FBIRD and HIDTA/JPSO 
ARMMS systems 

ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED 

DATE 06-05-2007 BY 65179DHH/K3R/HAJ 
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ID for June submission | Name (Program Name) | Includes these Systems | NIST FIPS 199 Risk Impact Level | Date C&A completed | Date security controls tested | Date contingency plan tested | Comments 

FY08-027 | Collection | 1) DCS 3000 2) DCS 5000 3) DCS 6000 | 1) Med 2) High 3) Med; Differ than what it says in | 1) 6/1/06 2) 2/3/06 3) 6/2/06 | 1) 5/3/06 2) 11/05 3) 5/26/06 | 1) 5/31/06 2) 5/22/06 3) 9/1/05(?) | 8/21: DCS 6000 is not on the FY2006 FISMA list. 9/1 Updated version did not incorporate my comments. 

FY08-028 | Systems Engineering | Unknown - says SES/SOA prototype but I think it should include the T&D Information 

FY08-029 | IT Infrastructure Rebuild | Portal | TBD | N/A | N/A | N/A | Planned operational date is 6/15/2007. 

FY08-030 | Enterprise Telephony | PTSS (?) | High | 7/21/05 | 5/18/05 | 5/31/06 | Business case listed various switches in the planning table that it calls operational - it wasn't clear to me how what is in this business case relates to PTSS. I provided comments to the author and requested clarification. Dates I provided relate to PTSS. 

FY08-031 | CIO Enterprise Support | N/A 
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Certification and Accreditation Status 


Accredited w/ Action Plan 

IATO 

Certified 


TS/SCI TS 


SBU 


UND Totals 


Apps) 

Annual Field Office Report (AFOR) 
Anti-Drug Network (ADNET) 


wi Server Farm (ASF) (aka Mini-Server Farm) Secret 
ARACHNET Secret 


Automated Booking System (ABS) 
Automatic Call Distribution (ACD) 


Building Management System (BMS) 

Bureau Personnel Management System (BPMS) Sensitive But Unclassified 


Tuesday, July 13, 2004 


CJIS Operate 
IRD Interim 
ASD Operate 


Unclassified CJIS 


Original 

27-May-03 26-May-06 Original 

15-Apr-03 14-Jun-03 Original 

24-Oct-02 23-Oct-05 Original 

Original 
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ad wf Action Plan 


Undergoing Certification 

Accredited 

IATO 

Undergoing Certification 
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CLASSIFIED BY 6S179dnh/ksi:/maj 

REASON: 1.4 (G) 

DECLASSIFY ON: 05-29-2032 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 



System Classification CUST Approval 

Computer Assisted Facility Management System Sensitive But Unclassified ASO 
(CAFMS) 


m (aka AMAPP) Undetenr 

d Interface 100 (CI-100) (aka Spidemet, Secret 


Correspondence Management System (CMS) (aka S< 


Criminal Intelligence Information System (CHS) Secret 

Critical Reach (aka TRAK) Sensitive But Unclassified 

Cryptoanalysis Initiative Computer Net (CI NET) Secret 


19-Aug-04 Original 
07-May-08 Original 


Data Collection System 5000 (DCS 5000) Secret 

Data Collection System 6000 (DCS 6000) (aka Digital Sensitive But Unclassified 
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For Official Use Only 
Operation Mavdav 


System 

(U) Data Collection System 3000 (DCS 3000) (aka 
CALEA (Communications Assistance to Law 
(U) Data Collection System 6000 (DCS 6000) (aka 
Digital Storm) 

(U) FAVIAU LAN (aka AUDIO LAN) 

(U) Integrated Video Imaging System (MS) 

(U) LAZY DOG 
(U) LIGHTPLANE 
(U) OPDC LAN 
(U) OPDC Stand-alone 
(U) SCIF Net 
(U) SDIS 

(U) Service Center (aka Peregrine Systems Service 
(U) SIOC Public Access LAN (PAL) to include TIPS db 
myTAPNET t 

(U) Uniform Crime Reporting (UCR) 

(U) Automated Booking System (ABS) 

(U) CART LAN (aka CMAL) 

(U) CJIS ISS 
(U) CODIS 

(U) CTD MAC Presentation System 
(U) FBI HQ SACs 

(U) FBI INTERNET (WWW.FBI.GOV) 

(U) FBI TELEPHONE COMMUNICATIONS 

(U) Field Office Integrated Security System (FO ISS) 

(U) FOIPA Document Processing System (FDPS) 

(U) Greendoor Internet Network (aka Newington Internet) 

(U) Key Asset Database 

(U) Law Enforcement Online (LEO) 

(U) NIPC Watch LAN 

(U) Personnel Security Unit Systems (PSUS) 

(U) Training Campus WAN (includes Virtual Academy) 
(U) Washington Metro Security Systems (WMSS) 


C&A Classification 

ITSU Secret 

ITSU 


Status 

In Review for Accreditation 


Sensitive But Unclassified In Review for Accreditation 


ITSU 

ITSU 

ITSU 

ITSU 

ITSU 

ITSU 

CU 

ITSU 

ITSU 

ITSU 

ITSU 

CU 

ITSU 

ITSU 

ITSU 

ITSU 

ITSU 

CU 

ITSU 

ITSU 

ITSU 

ITSU 

CU 

ITSU 

CU 

ITSU 

ITSU 

CU 

ITSU 

ITSU 


Secret 

Secret 

Sensitive But Unclassified 
Top Secret 

Sensitive But Unclassified 
Secret 

Top Secret SCI 
Top Secret SCI 
Secret 

Sensitive But Unclassified 
Top Secret SCI 
Secret 

Undetermined 


In Review for Accreditation 
In Review for Accreditation 
In Review for Accreditation 
In Review for Accreditation 
In Review for Accreditation 
In Review for Accreditation 
In Review for Accreditation 
In Review for Accreditation 
In Review for Accreditation 
In Review for Accreditation 
In Review for Accreditation 
In Review for Accreditation 
In Review for Accreditation 


Sensitive But Unclassified In Progress 
Sensitive But Unclassified In Progress 
Secret In Progress 

Secret In Progress 


Top Secret SCI 
Secret In Progress 

Sensitive But Unclassified In Progress 
Sensitive But Unclassified In Progress 
Secret In Progress 

Secret 

Sensitive But Unclassified 
Secret 

Sensitive But Unclassified In Progress 
Secret In Progress 

Secret In Progress 

Sensitive But Unclassified In Progress 
Secret In Progress 


In Progress 


" Systems in Bold/Blue will e xercise OOJ ai 


POCs for DOJ Team are FBI 

DOJ Team are available in Room 1B948 and via Groupwise Email 
DOJ Team members are: 


linated with UCsT 
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b2 
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Recommended Action: Prioritize hiring of key technical 
personnel. Engage appropriate resources to allocate space 
for personnel, as staffing increases. 

Problem: Guidance needed regarding labeling of periphery 
devices. Some devices remain unlabelled. 

Problem: Zipdrive attached to FBINet machine. 

Recommended Action: Complete Trilogy User training. 
Remind users not to attach unauthorized devices to network. 
Remind users not to install unauthorized software. Treat 
future instances as security violations and report through 
appropriate channels with increasingly severe penalties for 
repeat violations. 

Problem: iDEN CompanionPro terminal (NOFO) has no I&A. 

Recommended Action: Install required identification and 
authentication (username/password) meeting DOJ 2640.2E 
requirements prior to accessing application. 

Problem: Outdated or no disk encryption on laptop 
computers. 

Recommended Action: Install PointSec on all machines 
unless excepted. Provide written justification to SecD for 
consideration of any exceptions. 

Problem: Baton Rouge RA, CART laptop has no disk 
encryption. 

Problem: Found numerous instances of collection systems 
(DCS 3000 and DCS 5000) where no workstations or servers 
were labeled in accordance with security documentation. It 
is possible that the system is not operating within the 
boundaries described in the CONOPS/SSP for each system. 

Recommended Action: The Security Division should verify 
that each system is operating within security parameters 
described in the documentation. The DCS 3000 and DCS 5000 
should document discrepancies and initiate recommended 
corrective action or deactivate systems. 
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Systems Found 

JTTF Unclass 
CART Unclass 
CATS Secret 
NCIC terminals 
MetroCall/ Net Sender 

SAMNET b2 

iDEN CompanionPro 

Innocent Images 

Rapid Start 

FedEx tracking system 

DCS3000 (Title III) Unclass 

DCS5000 [redacted] Unclass 

JABS 1 1 


Trilogy Problem: NetOps backup problems. Documented in 
P34569, P30966 dated May 6, 2004. ITs in correct Admin 
Group but do not have permissions. 

Recommended Action: Follow up on PRs; respond to [redacted] 

Trilogy Problem: Logon screen defaults to username of last 
user when logging on to system. Found at Lafayette RA on 
various machines. 

Recommended Action: Generate PR. Survey all machines by 
property number to establish which machines to apply PR. 

Trilogy Problem: Cannot print Trilogy Rules of Behavior. 

Recommended Action: Follow up and respond to [redacted] 

Trilogy Problem: Workstation intermittently "hangs" when 
logging off. User profile problem? 

Trilogy Concern: Cannot open all attachments at the same 
time. 

Trilogy Concern: User must check box to verify, when 
attempting to save to local drive. 

Trilogy Concern: Why Active Directory structured with 
single domain @ HQ and not multiple domains. 

Recommended Action: Follow up and respond. 


SECRET 
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Combined Report 



Certification and Accreditation Status - Legacy Systems 
Status Top Secret/SCI Top Secret 




Secret SBU UND Totals 

7 2 10 

1 1 
7 3 14 

17 6 30 


System 

Automated Booking System (ABS) 
Automatic Call Distribution (ACD) 
Bureau Personnel Management System 


CODIS 

Computer Analysis Response Team Family 
of Systems (CART FOS) (aka CART LAN) 
Data Collection System 3000 (DCS 3000) 
(aka CALEA (Communications Assistance to 
Law Enforcement Act)) 

Data Collection System 6000 (DCS 6000) 
(aka Digital Storm) 

DNA LAN 

FAVIAU LAN (aka AUDIO LAN) 

Greendoor Internet Network (aka Newington 
Internet) 

Friday, August 2V, 2003 
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Accred. Date 
27-May-03 
15-Apr-03 
01-Jul-00 
01-Nov-02 


29-May-03 

30-May-03 
03-Jul-03 


Comments 
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Tier Level 

Definition 

Systems accredited 



during FY 2006 

Tier 2 

Confidentiality Goals: 

BSR 

BASIC, MEDIUM or HIGH 
System Security Concept: 

Safeguard . 
ABS 


PL1 or PL2* 

TC/cn 



1 


*Connectivity is authorized only if an approved 
Controlled Interface is used to adjudicate the security 
policies between connected systems. 

CWAN 

DCS-6000 


MEDIUM or HIGH for Dedicated Mode or PL1 
BASIC or MEDIUM for System High Mode or PL2 

BICS-Online 
RDPS 


Examples: 




More complicated/integrated systems 




Systems with higher operational criticality or 
sensitivity 

System that impacts another directorate or office 

RMS 

SPYB-PTSS 
FOISS 
ICDMI 
DCS 3000 
DCS 5000 
IISNET 



1 1 

Tier 3 

Confidentiality Goals: 


BASIC, MEDIUM or HIGH 
System Security Concept: 

ESOC 

TOUNET 


PL2 or PL3* 

System High & Compartmented Mode* 
*Connectivity is authorized only if an approved 
Controlled Interface is used to adjudicate the security 
policies between connected systems. 

FAMS-C 

Secret Enclave 

RCI 

IICMS 

DirectorNet 

FDF-A 

NICS-E/Check 
CJIS WAN 
TSC OWT-CI 
I APIS 
IMA 

WEBTA POC 



HIGH for System High Mode or PL2 
BASIC, MEDIUM, or HIGH for Compartmented 
Mode or PL3 
Examples: 

Systems that provide the day-to-day support of critical 
FBI missions. 



System that impacts multiple directorates or offices 
FBI global wide-area networks. 

One-Way Transfer Controlled Interface 

ESAN 

PACMS 

PED 

ESAN 

Tier 4 

Confidentiality Goals: 
HIGH 

CATS-CI 


System Security Concept: 



PL4 or PL5 

Multi-Level Mode 

Integrity and Availability Goals: 



BASIC, MEDIUM, or HIGH 
Examples: 

Multi-Level or PL4/PL5 systems 

Multi-Level Control Interfaces (Guards) - Requires 
two-way communication between systems at different 
classifications. 

PG-2 
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From: 

To: 

Date: Thu, Mar 21, 2002 9:03 AM 

Subject: Re: meetings 

Thanks [redacted] 

>>> [redacted] 03/21 8:38 AM >>> 

[redacted] This was only a preliminary meeting to discuss how we are going to approach 
documenting the certification of the DCS 3000 system as that Program Office have Booz, Allen 
and Hamilton on-board to develop the documentation for their system. When we meet with them 
regarding policy and procedures we will definitely want the accreditation and testing members 
to be a part of the discussion. (b6, b7C) 

>>> [redacted] 03/20 1:20 PM >>> 

1 ktuiw yX probably forgot to contact me about Quantico, but in the future would you please 
contact me when you remember? It was just as well I stayed here and did some reading, but I 
caught up with your group in Quantico. 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: Immediate 

To: Security 


Date: 05/31/2006 

Attn: [redacted] 


From: Security 

Information Assurance Section/Certification/SPY-B F-601 

[redacted] (202) [redacted] 


Contact 
Approved By: 
Drafted By: 


COP 


Case ID #: 319U-HQ-1487677-SECD- (Pending) 
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Title: IT SYSTEMS SECURITY RISK ANALYSES 

INFORMATION ASSURANCE SECTION (IAS) 
CERTIFICATION UNIT (CU) 

DIGITAL COLLECTION SYSTEM-3000 (DCS-3000) 
SECURITY TEST REPORT 


Synopsis: Certification Unit's validation findings conducted on the 
DCS-3000 Risk Management Matrix (RMM), dated 26 May, 2006. 

Reference: (1) 319U-HQ-1487677-SECD-275 

Administrative: Additional References: 

(2) DCS-3000 System Security Plan (SSP) (U//FOUO), 
dated 28 April, 2006 

(3) DCS 3000 Risk Management Matrix (RMM) 

(U//FOUO), dated 5 November, 2002 

(4) DCS 3000 Certification Executive Summary 

Report (U//FOUO), dated 26 May, 2006 

Details: In order to facilitate the decision to re-accredit the DCS- 
3000 system, the Accreditation Unit (AU) requested that Certification 
Unit validate the eight (8) findings documented in Reference (3) as 
being properly mitigated or closed. 

In accordance with the FBI Certification and Accreditation 
Handbook, the DCS-3000 system has been assessed as a Tier Level 2 with 
levels of concern (LOC) of Medium for Confidentiality, Integrity, and 
Availability. The DCS-3000 system is a Sensitive But Unclassified 
(SBU) system operating in the System High Mode of Operation Reference 
(1). 


Enterprise Security Operations Center (ESOC) Testing 
personnel assisted Certification Unit by performing validation of the 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 
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To: Security From: Security 

Re: 319U-HQ-1487677-SECD 05/31/2006 


eight (8) findings identified in the RMM Reference (3). The results 
of the validation testing are in the Certification Executive Summary 
Report Reference (4). Validation results concluded that three (3) of 
the six (6) were corrected. One (1) vulnerability was found to be a 
false finding. The last finding, lack of the Intrusion Detection 
System (IDS), has not been corrected or mitigated. 

Certification testing on the DCS-3000 system was performed 
during an initial C&A effort four years ago. Due to the age of the 
previous Certification assessment, as well as proposed changes to the 
current architecture, the Certifier recommends that full Certification 
testing be performed on the DCS-3000 system. 


LEAD(s): 

Set Lead 1: (Action) 

SECURITY 




Attn: Accreditation Unit. Coordinate the accreditation 

decision for the DCS-3000 System. 

Set Lead 2: (Info) 

SECURITY 

AT WASHINGTON, DC 

Attn: ISSM, [redacted] for your information. 

b6 
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CC: 




iRMP) (FBI) 


Sent: 

To: 


Subject: 



|(SecD) (FBI) 



2006 1 2:40 PM 


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If you have any additional questions please contact [ 
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Precedence: ROUTINE Date: 06/01/2006 

To: Operational Technology Attn: | 


Security Attn: 


From: Security 

Information Assurance/Accreditation/SPY-B F-501 
Contact: [redacted], 202-[redacted] 


Approved By: 

Drafted By: [redacted] : nilm 

Case ID #: 319U-HQ-A1487677-SECD Serial#305 
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Title: IT SYSTEM SECURITY RISK ANALYSES 

INFORMATION ASSURANCE SECTION (IAS) 

ACCREDITATION UNIT (AU) 

ACCREDITATION DECISION: GRANT APPROVAL 
TO OPERATE (ATO) WITH CONDITIONS FOR DIGITAL 
COLLECTION SYSTEM 3000 (DCS-3000) 

Synopsis: Grant an ATO with conditions for DCS-3000 for a period 
of 3 years. 

Reference: 319U-HQ-A1487677-SECD Serial 300 


Administrative: References: 

(1) System Security Plan (SSP), dated 04/28/2006 

(2) Security Test Report, dated 05/26/2006 

(3) Risk Management Matrix (RMM), dated 06/01/2006 

(4) Risk Management Plan (RMP), dated 06/01/2006 

(5) Plan of Action and Milestone (POA&M), dated 
06/01/2006 


Details: The Security Division's Accreditation Unit (AU) conducted a 
review of the Certification Documents, referenced above, for the DCS- 
3000 in accordance with the requirements set forth by Bureau, 
Departmental, National policy, and the FBI Certification and 
Accreditation Handbook. The Designated Accrediting Authority (DAA) 
grants an ATO with conditions for a period of 3 years starting on 
06/01/2006 and expiring on 06/01/2009. 
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Re: 319U-HQ-A1487677-SECD, 06/01/2006 


The accreditation boundary of the DCS-3000 includes the DCS- 
3000 application suite that consists of five (5) component applications 
residing on one or more workstations. The components of the DCS suite 
used to support a particular requirement depend upon the type of 
surveillance to be conducted, the switch providing the data, the 
telecommunications service provider, and availability of equipment at 
the field office. 

The DCS-3000 is operating at the Sensitive But Unclassified 
level in the System High mode of operation. The system has been 
designated as a Tier 2 system that operates at a Medium level of concern 
(LoC) for Confidentiality, Integrity, and Availability. 

The following summarizes the risks associated with 
Management, Operational, and Technical controls of DCS-3000. 
Additional details are contained in Risk Management Plan (RMP), 
Reference (4): 

Management Controls: No open Management control vulnerabilities 
were identified within the previous RMM; however, during the security 
review it was discovered that the system had not undergone a full 
security assessment in over 4 years. Therefore, it is recommended the 
system undergo a full security assessment within 180 days. 

Operational Controls: Although the previous RMM identified no 
remaining vulnerabilities within this control, it was identified during 
the security review that system security documentation contained 
discrepancies that needed to be addressed. These discrepancies have 
been documented within the DCS-3000 SSP Errata Sheet. 

Technical Controls: Only two vulnerabilities remain within this 
area. Vulnerability #5 has been deemed accepted risk. Vulnerability 
#7 is being researched by the system owner and has been addressed 
within the POA&M, Reference (5). 

In conclusion, based on the findings of the security review and the 
defined migration plan, in addition to the existing mitigations as 
identified in POAM, the Accreditation Unit recommends an Approval To 
Operate for 3 years with the following conditions: 

1. A full security assessment be completed within 180 days 
to ensure appropriate security controls have been implemented that 
address changes in the architecture that have occurred. 

2. All vulnerabilities be successfully resolved or mitigated 
within the 180 day period. 

Failure to meet these conditions will result in invalidation of 
this ATO and require full re-certification and re-accreditation of the 
DCS-3000 system. 
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To: Operational Technology From: Security 

Re: 319U-HQ-A1487677-SECD, 06/01/2006 


Any major change(s) to DCS-3000 shall be brought to the 
attention of the Information System Security Manager (ISSM). 





LEAD(s): 

Set Lead 1: (Action) 

OPERATIONAL TECHNOLOGY 
AT QUANTICO, VA 

Coordinate with ISSM to resolve outstanding POA&M actions and 
coordinate full security assessment of the DCS-3000. In addition, if 
major changes are made to the system characteristics or accreditation 
boundary during the ATO period, please notify the Information System 
Security Manager (ISSM). 

Set Lead 2: (Info) 

SECURITY 

AT WASHINGTON, DC 

Coordinate with System Owner to resolve outstanding POA&M 
actions and set up full system security assessment. Report status of 
POA&M to Accreditation Unit. 


CC: 
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Attached is the uploaded documentation for the DCS-3000. For additional information contact either 
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(Rev. 01-31-2003) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/2/2006 

To: Operational Technology Attn: 

Security Attn: 


From: Security 

Information Assurance/Accreditation/SPY-B F-501 
Contact: 


Approved By: 

Drafted By: 

Case ID #: 319U-HQ-1487677-SECD-275 


Title: IT SYSTEMS SECURITY RISK ANALYSES 

INFORMATION ASSURANCE SECTION (IAS) 
ACCREDITATION UNIT (AU) 

DIGITAL COLLECTION SYSTEM 3000 (DCS-3000) 
ACCREDITATION DECISION: 

SECURITY CHARACTERISTIC AND TIER LEVEL 
DESIGNATION FOR DCS-3000 
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Synopsis: Designate the DCS-3000 Tier Level, Mode of Operation, 
determine the Confidentiality, Integrity, Availability Levels, 
Boundary description, and name the key Certification and 
Accreditation Team Members. 


Administrative: DCS-3000 Accreditation Boundary Diagram, dated 
05/1/2006. 

Details: As a result of correspondence and meetings with the 
Accreditation Representative, Information System Security 
Manager, Information System Security Officer, Certification 
Representative, the DCS-3000 Program Manager and System 
Administrator, the following security characteristics and Tier 
Level have been determined and agreed upon. 

The Levels of Concern (LoC) are Medium for 
Confidentiality, Medium for Integrity, and Medium for 
Availability. DCS-3000 is a Sensitive but Unclassified (SBU) 
system operating in the System High Mode of Operation. The DCS- 
3000 has been assessed as a Tier Level 2 in accordance with the 
FBI Certification and Accreditation Handbook. 
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DATE 05-22-2007 BY 65179 DMH/TAH/K3R./ cb 




To: Operational Technology From: Security 

Re: 319U-HQ-1487677-SECD, 05/2/2006 


The DCS-3000 application suite was developed to assist 
Law Enforcement Agencies (LEA) with collecting and processing 
data for court-ordered Electronic Surveillance (ELSUR) 
operations. The DCS-3000 collects [redacted] data from the 
Telecommunications Service Provider (TSP) and stores it at the 
LEA site. (b2, b7E) 


The DCS-3000 application suite consists of five (5) 
component applications residing on one or more workstations. The 
components of the DCS suite used to support a particular 
requirement depend upon the type of surveillance to be conducted, 
the switch providing the data, the telecommunications service 
provider, and availability of equipment at the field office. 

The Certification and Accreditation Team Members are: 

System Owner: [redacted] 

Information System Security Officer 
System Administrator: 

Information System Security Manager 
Certification Representative: 

Accreditation Representative: 
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To: Operational Technology From: Security 

Re: 319U-HQ-1487677-SECD, 05/2/2006 


LEAD(s): 

Set Lead 1: (Info) 

OPERATIONAL TECHNOLOGY 
AT QUANTICO, VA 

Notify the ISSM if there are any changes to DCS-3000 
that could impact its designation of the Tier Level, Levels of 
Concern, Mode of Operation, and accreditation boundary. 

Set Lead 2: (Info) 

SECURITY 

AT WASHINGTON, DC 
For information only. 
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♦♦ 
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From: I t SecOMCON) 

Sent: Wednesday, May 31, 2006 3:48 PM 

To: J IfiftfiP) (FBI) 

Cc: [redacted] (SecD) (CON) 

Subject: FW: DCS 3000 EC (CORRECTED COPY) 


UNCLASSIFIED 

NON-RECORD 


DCS-3000 CERT EC 
05302006.wpd 

[redacted] here is the corrected copy of the ec 



Information Assurance Analyst 

SecD/IAS/CU (Certification Unit) 
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DCS3000 
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DCS3000 

Systems Security Plan 
Appendix C 

Risk Management Matrix (RMM) 


November 5, 2002 

Version 1.0 - November 5, 2002 


Prepared For: 

Ms. [redacted] 

Chief, Legacy System Certification Unit (LSCU) 
Federal Bureau of Investigation 
935 Pennsylvania Avenue, NW 


Room 1302 


Washington, DC 20530 


Prepared By: 
LSCU Green Team 
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1. INTRODUCTION 

1.1. System Description 

DCS3000 is a computer-based intelligent collection system used by FBI personnel to 

• Facilitates the review and examination of the information 

• Dramatically increases the efficiency of trial preparations 

• Exponentially increases the utility and value of computer-based intercepts 

The DCS3000 system is deployed in central monitoring plants (CMP) located in FBI 
field offices and at the FBI Engineering Research Facility (ERF). Access to the field 
office buildings and the ERF is controlled by use of security guards, visitor badges, and 
visitor logs. Visitors are escorted at all times while in a field office building and at the 
ERF. Field office personnel monitor operations within the CMP, and operations are 
physically separated according to type and function (i.e., Title III versus Foreign 
Intelligence Surveillance Act [FISA] and computer operations versus case monitoring). 

FBI professionals, who have been well screened, cleared, and trained for the operations 
they perform, operate and use the system in a physically secure, climate-controlled 
environment. The system is easy to use, and personnel duties are clearly defined and 
appear to be commonly understood so stress levels for system users, regardless of their 
positions, are fairly low, especially in light of the types of work they do. 

1.2. Risk Assessment Approach 

The risk assessment for this system was conducted through: 

• An initial pre-certification test (i.e., vulnerability assessment) of the DCS3000 system 
during the period August 22-23, 2002. 

• Personal interviews with cognizant DCS3000 program management and technical 
personnel. 

• Analysis of FBI field-office personnel surveys 
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2. RISK ASSESSMENT RESULTS 

This section provides detailed DCS3000 risk assessment results that were derived from 
the initial pre-certification testing. Vulnerabilities and threats have been paired by 
severity of risk after all applicable existing safeguards relative to them have been taken 
into account. It is important to note that multiple vulnerability/threat pairs may be 
discussed by vulnerability if similar safeguards can mitigate the pairs. Test results were 
generally favorable and justified no further testing of this system for the purposes of this 
C&A effort. 

For each vulnerability/threat pair, the following information is included in narrative form: 

• The vulnerability/threat pair number (e.g., 1, 2, etc.) 

• Vulnerability/threat pair description (in italics) 

• Description of the probable impact on the pair and analysis of the impact (also in 
italics) 

• Planned or recommended controls or alternative options for reducing risks 

2.1. Risk Assessment 

2.1.1. High Risk Vulnerability/Threat Pairs 

The following are high-risk vulnerability/threat pairs that are drawn from the RMM table. 

There are seven operational aspects of this collection system that appear to be at high risk 
but easily mitigated. Overarching mitigating factors for these risks include the DCS3000 
working environment at each operating location (i.e., FBI field office, resident agency 
(RA) office, etc.) that is tightly controlled and protected by multi-layered physical 
security, and the personnel within it, who participate in electronic surveillance (ELSUR) 
operations and who must undergo a very thorough and comprehensive screening process 
in order to be granted an FBI Top Secret clearance before being authorized to perform 
their tasks. 

The following are the associated high-risk vulnerability pairs drawn from the RMM table 
below: 

1. There is no anti-viral software loaded on the DCS3000 machines. If malicious code, 
viruses, and/or executables are introduced, there will be potential for risk to the system 
or compromise of data, thereby compromising evidence contained therein. 

Planned or Recommended Remedial Action : 

• Install FBI approved anti-virus software on all servers and workstations. 

• System administrators ensure all virus signatures are updated weekly or as needed. 

b2 

b7E 


Planned or Recommended Remedial Action : 
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3. Successive failed logon attempt lockout is not enabled. Without a lockout policy, an 
unauthorized user would have infinite attempts to gain access to the system. 

Planned or Recommended Remedial Action : 

• Account lockout duration 

• Account lockout threshold (i.e. 3 attempts) 

• Unlock procedures 

5. Workstations associated with the system do not enforce adequate user permissions. 
Improperly configured machines do not adhere to the least privilege principle. This 
practice could potentially give a user access and rights not warranted for by their 
position. 

Planned or Recommended Remedial Action : 

Recommend the implementation of workstation permissions to give least privilege 
access. 

6. The improper account (i.e. guest or administrator) configurations do not provide the 
facility for adequate auditing. 

Planned or Recommended Remedial Action : 

Recommend deleting the guest accounts and renaming the administrator accounts. 

7. The system lacks an intrusion detection capability. This functionality provides 
warning of an unauthorized access or user to the system. 

Planned or Recommended Remedial Action : 

Recommend implementing an intrusion detection scheme. 

8. The Telnet login process is accomplished in the "clear". This practice compromises 
the user ID and password information. 

Planned or Recommended Remedial Action : 

Recommend a secure Telnet implementation. 
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2.1.2. Medium Risk Vulnerability/Threat Pairs 

The following medium-risk vulnerability/threat pair is drawn from RMM table below. 

4. Auditing was found to be inadequate. Tracking users' actions will allow records to be 
kept for accountability purposes. These records can be used for investigations and to 
track system or network problems for troubleshooting purposes. 

Planned or Recommended Remedial Action : 

Recommend implementing workstation and server auditing and log dumps on a daily 
basis to reduce impact on resources. 

Overall, recommend Senior FBI management personnel should take a very active role in 
support of a comprehensive FBI INFOSEC program. As part of this program, a 
comprehensive FBI information security (INFOSEC) training program should be 
developed and implemented throughout the FBI. Also, unit-level, job-specific INFOSEC 
training should be strongly encouraged or mandated. 
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HIGH 

Recommend the implementation of workstation permissions to give least privilege access. 


6. Improper account configuration. 
VL = High 
HIGH 
RR = Low 
Verified 
Guest account is disabled and the Administrator account 

7. Lack of Intrusion Detection Systems (IDS) 
VL = High 
HIGH 
Recommend implementing an intrusion detection scheme. 
RR = Low 
No IDS is installed. 

8. Telnet login is not encrypted 
VL = High 
HIGH 
Recommend a secure Telnet implementation. 
Verified 
Telnet is not being used. 
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From: 

Sent: 

To: 

Cc: 

Subject: 


(RMD) (FBI) 

Thursday, May 25, 
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t 


(SecD) (FBI) 


FW: DCS 3000 TEST at Quantico 
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J from ESOC test group will test DCS 3000 tomorrow for us at quantico. 


Information Assurance Analyst 

SecD/IAS/CU (Certification Unit) 


— Original Message — 

From: (SecD)(CON) 

Sent: Thursday, May [day illegible], 2006 3:35 PM 

To: (SecD) 

Subject: FW: DCS 3000 RMM 
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Here is thanks a lot. 


SecD/IAS/CU (Certification Unit) 
Certification Lead, Team #2 


b2 

b6 

b7C 


— Original Message — 

(SecD)(CON) 


UNCLASSIFIED 

NON-RECORD 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 05-22-2007 BY 65179 DHH/TAH/SR/cb 







(RMD) (FBI) 


From: 

Sent: 

To: 

Subject: 


(SecD)(CON) 
tOO PM 
(SecD) (CON) 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


b2 

b6 

b7C 



SecD/IAS/CU (Certification Unit) 
Certification Lead, Team #2 



— Original Message — 

From: (SecD) (FBI) 

Sent: Thursday, June 01, 2006 11:29 AM 

To: [illegible] (FBI); (SecD)(FBI); (SecD)(CON); (SecD) 

Subject: DCS 3000 

SENSITIVE BUT UNCLASSIFIED 
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EC has been uploaded. For additional information, please contact 


DCS-3000 CERT EC 
05302006.wpd 
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It was QUICK!!! Let me know if ya need something more!!! 



Information System Security Manager (ISSM) 
Quantico Complex 
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Data Collection System 3000 
(DCS-3000) 

Plan Of Actions & Milestones (POA&M) 

June 1, 2006 
Version 1.0 
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Federal Bureau of Investigation 
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1. INTRODUCTION 

1.1. System Description 

DCS-3000 is a computer-based intelligence collection systems used by FBI personnel to 
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• Facilitates the review and examination of the information 

• Dramatically increases the efficiency of trial preparations 
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• Exponentially increases the utility and value of computer-based intercepts 

The DCS-3000 system is deployed in central monitoring plants (CMP) located in FBI 
field offices and at the FBI Engineering Research Facility (ERF). Access to the field 
office buildings and the ERF is controlled by use of security guards, visitor badges, and 
visitor logs. Visitors are escorted at all times while in a field office building and at the 
ERF. Field office personnel monitor operations within the CMP, and operations are 
physically separated according to type and function (i.e., Title III versus Foreign 
Intelligence Surveillance Act [FISA] and computer operations versus case monitoring). 
FBI professionals, who have been well screened, cleared, and trained for the operations 
they perform, operate and use the system in a physically secure, climate-controlled 
environment. The system is easy to use, and personnel duties are clearly defined and 
appear to be commonly understood so stress levels for system users, regardless of their 
positions, are fairly low, especially in light of the types of work they do. 

1.2. Risk Assessment Approach 

The risk assessment for this system was conducted through: 

• A security assessment of the DCS-3000 system was conducted during the period May 
2, 2006 to verify closure of open vulnerabilities. 

• Personal interviews with DCS-3000 program management and technical personnel. 
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2. RISK ASSESSMENT RESULTS 

This section provides detailed DCS-3000 risk assessment results that were derived from 
the initial pre-certification testing. Vulnerabilities and threats have been paired by 
severity of risk after all applicable existing safeguards relative to them have been taken 
into account. It is important to note that multiple vulnerability/threat pairs may be 
discussed by vulnerability if similar safeguards can mitigate the pairs. Test results were 
generally favorable and justified no further testing of this system for the purposes of this 
C&A effort. 

For each vulnerability/threat pair, the following information is included in narrative form: 

• The vulnerability/threat pair number (e.g., 1, 2, etc.) 

• Vulnerability/threat pair description (in italics) 

• Description of the probable impact on the pair and analysis of the impact (also in 
italics) 

• Planned or recommended controls or alternative options for reducing risks 

2.1. Risk Assessment 

2.1.1. High Risk Vulnerability/Threat Pairs 

The following are the remaining high-risk vulnerability/threat pairs that are drawn from 
the initial RMM table. There are seven operational aspects of this collection system that 
appear to be at high risk. Overarching mitigating factors for these risks include the DCS- 
3000 working environment at each operating location (i.e., FBI field office, resident 
agency (RA) office, etc.) that is tightly controlled and protected by multi-layered physical 
security, and the personnel within it, who participate in electronic surveillance (ELSUR) 
operations and must undergo a thorough and comprehensive screening process in order to 
be granted an FBI Top Secret clearance before being authorized to perform their tasks. 

The following are the validated closed and remaining associated high-risk vulnerability 
pairs below: 

1. There is no anti-viral software loaded on the DCS-3000 machines. If malicious 
code, viruses, and/or executables are introduced, there will be potential for risk to 
the system or compromise of data, thereby compromising evidence contained 
therein. 

Current Status : 

• Verified Closed: McAfee 4.5.1 installed with Virus updated 05/05/2006 


Current Status : 

• Verified Closed: Passwords require eight characters, complex etc. 
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3. Successive failed logon attempt lockout is not enabled. Without a lockout policy, 
an unauthorized user would have infinite attempts to gain access to the system. 
Current Status : 

• Verified Closed: Accounts lock out after three attempts and must be reset by 
admin. 

5. Workstations associated with the system do not enforce adequate user 
permissions. Improperly configured machines do not adhere to the least privilege 
principle. This practice could potentially give a user access and rights not 
warranted for by their position. 

Current Status: 

• Remains Open: Software required to run with admin privileges. See SSP. 
Planned or Recommended Remedial Action : 

• Recommend the implementation of workstation permissions to give least 
privilege access. 

6. The improper account (i.e. guest or administrator) configurations do not provide 
the facility for adequate auditing. 

Current Status: 

• Verified Closed: Guest account is disabled and the Administrator account is 
renamed. 

7. The system lacks an intrusion detection capability. This functionality provides 
warning of an unauthorized access or user to the system. 

Current Status: 

• Remains Open: No IDS is installed. 

Planned or Recommended Remedial Action : 

Recommend implementing an intrusion detection scheme. 

8. The Telnet login process is accomplished in the “clear”. This practice 
compromises the user ID and password information. 

Current Status: 

• Verified Closed: Telnet is not being used. 

2.1.2. Medium Risk Vulnerability/Threat Pairs 

The following medium-risk vulnerability/threat pair is drawn from RMM table below. 
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4. Auditing was found to be inadequate. Tracking users’ actions will allow records 
to be kept for accountability purposes. These records can be used for investigations 
and to track system or network problems for troubleshooting purposes. 

Current Status: 

• Verified Closed: Routers syslog and systems event viewer is set to record all 
events. 

This assessment was conducted to verify remaining vulnerabilities; however, due to age 
of the original test report and proposed changes to the current architecture a full system 
security assessment is required. These requirements are being added to the DCS-3000 
Plan of Action and Milestones (POA&M) as risk management items that require the 
appropriate attention for resolution. 
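
The status entries above for password rules, account lockout, and the guest and administrator accounts can be re-verified mechanically. The following is an added example, not part of the FBI document: it assumes the machines run Windows (the document does not name the operating system) and that local policy has been exported with `secedit /export /cfg`; the sample export is constructed and leaves the administrator account unrenamed to show an open item.

```python
# Added example: assumes Windows hosts and a `secedit /export /cfg` policy file.
# SAMPLE_EXPORT is constructed for illustration, not taken from the document.
SAMPLE_EXPORT = r"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 3
LockoutDuration = -1
NewAdministratorName = "Administrator"
EnableGuestAccount = 0
[Version]
signature="$CHICAGO$"
"""


def parse_system_access(text):
    """Return the key/value pairs of the [System Access] section."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "System Access" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip().strip('"')
    return values


def check_poam(values):
    """Report each checked POA&M status entry as 'closed' or 'open'."""
    def num(key, default):
        try:
            return int(values.get(key, default))
        except ValueError:
            return default

    admin = values.get("NewAdministratorName", "Administrator")
    results = {
        # "Passwords require eight characters, complex"
        "password": num("MinimumPasswordLength", 0) >= 8
        and num("PasswordComplexity", 0) == 1,
        # Three attempts, admin reset: BadCount 0 = off, Duration -1 = admin unlock
        "lockout": 1 <= num("LockoutBadCount", 0) <= 3
        and num("LockoutDuration", 0) == -1,
        # "Guest account is disabled and the Administrator account is renamed"
        "accounts": num("EnableGuestAccount", 1) == 0
        and admin.lower() != "administrator",
    }
    return {item: "closed" if ok else "open" for item, ok in results.items()}


if __name__ == "__main__":
    print(check_poam(parse_system_access(SAMPLE_EXPORT)))
```

A missing key is treated as the insecure default, so an incomplete export reports the item as open rather than closed.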
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Concerns 

(U) There are several areas of the total DCS-3000 program that require additional 
correction/improvement. Because the final engineering of the system is not 
completed, and the former certification testing was accomplished approximately four 
years ago, a full system test is required once the system architecture has achieved 
stasis. In addition, the DCS-3000 SSP requires the corrections noted by the 
Certification Unit (CU) to include updated system drawings, expanded concept of 
operations, and the corrections listed on the provided errata sheet. 

(U) The documentation will be completed as soon as possible, and the certification 
testing must be accomplished within 180 days of this POA&M approval. 

(U) The existing open RMM identified items also require resolution. 


Conclusion 

(U) The DCS-3000 has very few existing vulnerabilities, and is an SBU system. The 
addition of the [redacted] (server) connection does not appear to introduce an 
increase in risk significant enough to not recommend that it be allowed. This added 
capability will significantly improve the mission capability, while introducing a very low 
risk connection. 


(U) I believe this system is operated and maintained at an acceptable level of risk. I, 
therefore, recommend that the DCS-3000 be given a three year ATO with the caveats 
listed in paragraph 2 & 3 of the “Concerns” above. 


(U) I also recommend that the failure to meet these conditions should invalidate the ATO 
and require full recertification and re-accreditation of the DCS-3000 system. 
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~|(RMD) (FBI) 


From: 

Sent: 

To: 

Subject: 


(SecD)(CON) 

Thursday, June 01, 2006 1[illegible] PM 

(SecD) (CON) 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


.. Just got back from a (hostile) CSO meeting, but I’ll try!! 


Information System Security Manager (ISSM) 

Quantico Complex 

CISM. CISSP, ISS. PSEC. MCSE 


...“lead, follow, or get out of the way." Thomas Paine 
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— Original Message — 

From: (SecD) (CON) 

Sent: Thursday, June 01, 2006 1:42 PM 

To: (SecD)(CON) 

Subject: DCS-3000 POA&M 

SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


Will you be able to complete before 3pm? 




ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 05-23-2007 BY 65179 DHH/TAM/KSR/cb 




SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 
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The figure in the Word document is accurate. 



From: (SecD) (CON) 

Sent: Wednesday, April 26, 2006 8:09 AM 

To: (SecD)(CON) 

Cc: (SecD)(CON); 

Subject: DCS-3000 Tier EC and Boundary Documen 

Importance: High 
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SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


All, 

I have completed an updated architectural drawing. Please take a look and let me know if it is accurate. I want to get 
the Tier EC out this week and get things moving on this system. 

Regards, « File: DCS-3000 Accreditation Boundary Diagram.vsd » « File: DCS3000 Accreditation Boundary.doc 
» 






From: (SecD)(CON) 

Sent: Tuesday, May 23, 2006 10:55 AM 

To: (SecD) (CON) 

Subject: SRTM FOR DCS 3000 


UNCLASSIFIED 

NON-RECORD 



DCS 3000.xls 
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UNCLASSIFIED 




